Date format problems in generated Search-UnifiedAuditLog #27

Open
gavsto opened this issue Sep 18, 2019 · 16 comments
@gavsto

gavsto commented Sep 18, 2019

The Search-UnifiedAuditLog command that gets generated seems to generate with dates and times in the local format. As a UK native our format of dd/mm/yyyy does not get accepted by that cmdlet, causing an error:

Cannot process argument transformation on parameter 'EndDate'. Cannot convert value "19/09/2019" to type "Microsoft.Exchange.ExchangeSystem.ExDateTime". Error: "String was not recognized as a valid DateTime."

@chingf0rd

Can I also add to this too - we are seeing this issue on the latest v1.14.0 release and it is preventing us from collecting user tenant logs. However, I wonder if it is an update of an associated PS module rather than Hawk itself:

```
Cannot process argument transformation on parameter 'EndDate'. Cannot convert value "31/10/2019" to type "Microsoft.Exchange.ExchangeSystem.ExDateTime". Error: "String was not recognized as a valid DateTime."
+ CategoryInfo : InvalidData: (:) [Search-UnifiedAuditLog], ParameterBindin...mationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Search-UnifiedAuditLog
+ PSComputerName : outlook.office365.com
```

@mik645

mik645 commented Nov 7, 2019

Same problem here but in Italian:

```
[07/11/2019 11:58:37] - Searching Range 10/13/2019 00:00:00 To 10/13/2019 00:00:00
Get-Date : Impossibile associare il parametro 'Date'. Impossibile convertire il valore "10/13/2019 00:00:00" nel tipo "System.DateTime". Errore: "Stringa non riconosciuta come valore DateTime valido."
In C:\Program Files\WindowsPowerShell\Modules\HAWK\1.14.0\User\Get-HawkUserMailboxAuditing.ps1:65 car:44
+         [string]$RangeEnd = ((get-date $RangeStart).AddDays(5)).D ...
+                                        ~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Get-Date], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerShell.Commands.GetDateCommand
```

@daruizcorrea

I have had the same issue today when running the user investigation:
It seems that it is trying to go back to the start date for the tenant investigation dates selected (last 90 days) and it can only do the past 7 days instead.

```
[19/11/2019 11:18:32 AM] - Searching Unified Audit log for Records of type: AzureActiveDirectoryStsLogon
[19/11/2019 11:18:32 AM] - Running Unified Audit Log Search
[19/11/2019 11:18:32 AM] - Search-UnifiedAuditLog -UserIds blah@blah.com -RecordType AzureActiveDirectoryStsLogon -StartDate '21/08/2019' -EndDate '22/08/2019' -SessionCommand ReturnLargeSet -resultsize 1000 -sessionid 111832
Cannot process argument transformation on parameter 'StartDate'. Cannot convert value "21/08/2019" to type "Microsoft.Exchange.ExchangeSystem.ExDateTime". Error: "String was not recognized as a valid DateTime."
+ CategoryInfo : InvalidData: (:) [Search-UnifiedAuditLog], ParameterBindin...mationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Search-UnifiedAuditLog
+ PSComputerName : outlook.office365.com

[19/11/2019 11:18:32 AM] - [WARNING] - Unified Audit log returned no results.
```

@mailnikitako

Hi!
It is a severe issue. Did anyone find an easy workaround? Also what about other log searches for tenant or user - they may also be executed with a wrong time set.
Thanks!

@sssseossss

Hi!
ToShortDateString() is culture-sensitive.

To resolve the issue see the link below:
https://stackoverflow.com/questions/2182093/datetime-now-toshortdatestring-replace-month-and-day
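
Added example (not part of the thread or of Hawk's code): a culture-invariant way to render and parse the search-window dates, contrasted with the culture-sensitive short date pattern that `ToShortDateString()` uses. The function names are hypothetical, and it assumes `Search-UnifiedAuditLog` accepts `yyyy-MM-dd`, as a later comment in this thread reports.

```powershell
# Added example; function names are hypothetical and not part of Hawk.
$Invariant = [System.Globalization.CultureInfo]::InvariantCulture

function ConvertTo-AuditLogDate {
    # Render a [datetime] as yyyy-MM-dd no matter what the session culture is.
    # Note: in a custom format such as 'MM/dd/yyyy' the '/' is replaced by the
    # culture's date separator, so the invariant culture is passed explicitly.
    param([Parameter(Mandatory)][datetime]$Date)
    $Date.ToString('yyyy-MM-dd', $Invariant)
}

function ConvertFrom-AnalystDate {
    # Parse analyst input strictly as yyyy-MM-dd and reject anything else,
    # rather than guessing the day/month order of input like 03/02/2019.
    param([Parameter(Mandatory)][string]$Text)
    $parsed = [datetime]::MinValue
    $ok = [datetime]::TryParseExact($Text, 'yyyy-MM-dd', $Invariant,
        [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
    if (-not $ok) { throw "Expected yyyy-MM-dd, got '$Text'" }
    $parsed
}

# Constructed sample window (same dates as one of the failing searches above).
$start = ConvertFrom-AnalystDate '2019-08-21'
$end   = $start.AddDays(1)

# The 'd' format is the short date pattern, i.e. what ToShortDateString()
# returns when the given culture is the current one.
foreach ($name in 'en-US', 'en-GB', 'it-IT', 'de-DE') {
    $culture = [System.Globalization.CultureInfo]::GetCultureInfo($name)
    [pscustomobject]@{
        Culture   = $name
        ShortDate = $start.ToString('d', $culture)
        Invariant = ConvertTo-AuditLogDate $start
    }
}

# Command text built from invariant strings, identical on every workstation.
"Search-UnifiedAuditLog -StartDate '{0}' -EndDate '{1}'" -f `
    (ConvertTo-AuditLogDate $start), (ConvertTo-AuditLogDate $end)
```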

@Absoblogginlutely
Contributor

Absoblogginlutely commented Dec 3, 2019

As @sssseossss said, it looks like the start time can be cast into the correct language settings by using the information from https://blogs.technet.microsoft.com/dsheehan/2017/09/24/powershell-datetime-throws-the-error-string-was-not-recognized-as-a-valid-datetime/

I'm running some tests, but it looks like get-hawktenantauthhistory.ps1 can be fixed by updating the datetime[startdate] parameter to just $startdate and then adding the following after the try/catch statement.

```powershell
# Convert date format from https://blogs.technet.microsoft.com/dsheehan/2017/09/24/powershell-datetime-throws-the-error-string-was-not-recognized-as-a-valid-datetime/

# Extract the default Date/Time formatting from the local computer's "Culture" settings, and then create the format to use when parsing the date/time information pull from AD.
$CultureDateTimeFormat = (Get-Culture).DateTimeFormat
$DateFormat = $CultureDateTimeFormat.ShortDatePattern
$startdate = [DateTime]::ParseExact($startdate,$DateFormat,[System.Globalization.DateTimeFormatInfo]::InvariantInfo,[System.Globalization.DateTimeStyles]::None)
```

Unfortunately this is a bad file to test with as there are a lot of audit results coming back in 48 hours.
It would also be better to place this in initialize-hawkglobalobject.ps1 that gets the start and end times.
I'm running out of time tonight to implement this fix so hopefully this would help someone else to get this working for the time being and I'll try implementing it later this week.

@sssseossss

That is great if you fix this, however isn't it simpler to just convert directly in global settings with this short string:
`$startdate=$startdate.ToString("MM.dd.yyyy");`

@Absoblogginlutely
Contributor

Seems to be more complicated than that.
First if you provide the variable as 3/2/2019 meaning 3rd February 2019, the proposal I mentioned above will work (as long as the computer has been rebooted after changing the locale to UK). If you don't reboot then you get "string was not recognized as a valid datetime"
Conversely if you reboot and provide the leading zeros you get the same error but it works without the leading zeros.

In a machine that was US and switched to uk locale without rebooting, using the .tostring method returns 2 march 2019 00.00.00 which is incorrect (but it doesn't care about leading zeros or not). However after rebooting into a UK locale, you get an overload error:- $s=$startdate.tostring("MM.dd.yyyy")
Cannot find an overload for "tostring" and the argument count: "1".

@shannaniggans

shannaniggans commented Apr 14, 2020

So I am currently trying to run this and the acceptable time format would be yyyy-MM-dd however Hawk is passing MM/dd/yyyy. This is for both the tenant investigation and the user investigation. Is there any fix for this?

```
Cannot process argument transformation on parameter 'StartDate'. Cannot convert value "15/01/2020" to type "Microsoft.Exchange.ExchangeSystem.ExDateTime". Error: "String was not recognized as a valid DateTime."
+ CategoryInfo : InvalidData: (:) [Search-UnifiedAuditLog], ParameterBindin...mationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Search-UnifiedAuditLog
```

and

```
Get-Date : Cannot bind parameter 'Date'. Cannot convert value "01/20/2020 00:00:00" to type "System.DateTime". Error: "String was not recognized as a valid DateTime."
At C:\Program Files\WindowsPowerShell\Modules\HAWK\1.15.0\User\Get-HawkUserMailboxAuditing.ps1:65 char:44
+         [string]$RangeEnd = ((get-date $RangeStart).AddDays(5)).D ...
+                                        ~~~~~~~~~~~
    + CategoryInfo : InvalidArgument: (:) [Get-Date], ParameterBindingException
```

@shannaniggans

First Day of Search Window (1-90, Date, Default 90): 2020-02-01
Setting StartDate by Date to 02/01/2020 00:00:00

Last Day of search Window (1-90, date, Default Today): 2020-04-13
Setting EndDate by Date to 04/14/2020 00:00:00

Why convert to the American date/time format?

@howellzach

It appears there used to be a fix for something similar within Get-HawkUserMailboxAuditing.ps1. It was commented out when @Canthv0 converted $hawk to store datetime object.

This is the bit that converted the date in Get-HawkUserMailboxAuditing:
```powershell
[string]$RangeEnd = get-date ((Get-date ([datetime]::ParseExact($RangeStart, "MM/dd/yyyy", $null))).AddDays(5)) -UFormat %m/%d/%Y
```

Could this same line be applied to [datetime]$StartDate = $Hawk.StartDate and [datetime]$EndDate = $Hawk.EndDate in Hawk.psm1?

At the moment, my workaround for this is manually changing the regional format settings to English (United States) before running Hawk.

@shannaniggans

Thanks @howellzd - I found that if I change the data formats and short date to yyyy-MM-dd instead of changing my settings to US that also worked (means I don't need to change back and forth).

@howellzach

> Thanks @howellzd - I found that if I change the data formats and short date to yyyy-MM-dd instead of changing my settings to US that also worked (means I don't need to change back and forth).

Right, I see.

It is annoying for people with non-US language settings: if they stick with the default method of inputting the number of days of logs to pull (e.g. 90) or use "Today", they are going to face this issue.

@shannaniggans

Yeah, I'm in Australia, I found that even if I typed in the US date format, or yyyy-mm-dd instead of the default 90 days I got the error. I have been using hawk today with just my short date set to yyyy-mm-dd without having to change any other setting to US format, so I think I can live with that. Both tenant and user investigations ran happily.

@samuelspronk

Also over in Australia and having the same issue. Other applications that require the shortdate to be correct break so changing that isn't ideal.

@kamilewski

Hi. I have the same problem :/

```
[16.10.2020 08:16:54] - Search-UnifiedAuditLog -RecordType 'AzureActiveDirectory' -Operations 'Add OAuth2PermissionGrant.','Consent to application.' -StartDate '18.07.2020' -EndDate '17.10.2020' -SessionCommand ReturnLargeSet -resultsize 1000 -sessionid 081654
Cannot process argument transformation on parameter 'StartDate'. Cannot convert value "18.07.2020" to type "Microsoft.Exchange.ExchangeSystem.ExDateTime". Error: "String was not recognized as a valid DateTime."
+ CategoryInfo : InvalidData: (:) [Search-UnifiedAuditLog], ParameterBindin...mationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Search-UnifiedAuditLog
+ PSComputerName : outlook.office365.com
```

@T0pCyber T0pCyber added the Bug Something isn't working label Apr 15, 2021